npm - @shakecodeslikecray/whiterose - Versions diffs - 1.0.3 → 1.0.5 - Mend

@shakecodeslikecray/whiterose 1.0.3 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/cli/index.js CHANGED Viewed

@@ -2116,11 +2116,25 @@ var CoreScanner = class {
   executor;
   config;
   progress;
+  passErrors = [];
   constructor(executor, config = {}, progress = {}) {
     this.executor = executor;
     this.config = { ...DEFAULT_SCANNER_CONFIG, ...config };
     this.progress = progress;
   }
+  /**
+   * Get errors that occurred during the last scan.
+   * Returns an array of pass names and their error messages.
+   */
+  getPassErrors() {
+    return this.passErrors;
+  }
+  /**
+   * Check if any passes failed during the last scan.
+   */
+  hasPassErrors() {
+    return this.passErrors.length > 0;
+  }
   /**
    * Run a thorough 19-pass scan with findings flowing through pipeline:
    *
@@ -2134,6 +2148,7 @@ var CoreScanner = class {
   async scan(context) {
     const cwd = process.cwd();
     const startTime = Date.now();
+    this.passErrors = [];
     const pipeline = getFullAnalysisPipeline();
     const unitPasses = pipeline[0].passes;
     const integrationPasses = pipeline[1].passes;
@@ -2214,8 +2229,10 @@ var CoreScanner = class {
           this.report(`    \u2713 ${pass.name}: ${bugs.length} bugs`);
           return bugs;
         } catch (error) {
-          this.progress.onPassError?.(pass.name, error.message);
-          this.report(`    \u2717 ${pass.name}: ${error.message}`);
+          const errorMsg = error.message || String(error);
+          this.progress.onPassError?.(pass.name, errorMsg);
+          this.report(`    \u2717 ${pass.name}: ${errorMsg}`);
+          this.passErrors.push({ passName: pass.name, error: errorMsg });
           return [];
         }
       });
@@ -3089,7 +3106,7 @@ function extractIntentFromDocs(docs) {
     }
   }
   if (docs.readme) {
-    const featuresMatch = docs.readme.match(/##\s*Features?\s*\n([\s\S]*?)(?=\n##|\n---|\$)/i);
+    const featuresMatch = docs.readme.match(/##\s*Features?\s*\n([\s\S]*?)(?=\n##|\n---|$)/i);
     if (featuresMatch) {
       const featureLines = featuresMatch[1].split("\n").filter((line) => line.trim().startsWith("-") || line.trim().startsWith("*")).map((line) => line.replace(/^[-*]\s*/, "").trim()).filter((line) => line.length > 0);
       intent.features.push(...featureLines.slice(0, 20));
@@ -4327,6 +4344,9 @@ function loadAccumulatedBugs(cwd) {
     if (!Array.isArray(stored.bugs)) {
       stored.bugs = [];
     }
+    if (!stored.fingerprints || typeof stored.fingerprints !== "object") {
+      stored.fingerprints = {};
+    }
     stored.bugs = stored.bugs.map((b) => ({ ...b, kind: b.kind || "bug" }));
     return stored;
   } catch (error) {
@@ -5875,7 +5895,9 @@ var FixConfirm = ({ bug, dryRun, onConfirm, onCancel, onFixComplete }) => {
       setStatus("fixing");
       setProgressMessage("Starting agentic fix...");
       try {
-        const result = await onConfirm();
+        const result = await onConfirm((message) => {
+          setProgressMessage(message);
+        });
         if (result.falsePositive) {
           setFalsePositiveReason(result.falsePositiveReason || "The AI determined this bug is not real after analyzing the code.");
           setStatus("false-positive");
@@ -6019,11 +6041,11 @@ var App = ({ bugs, config, fixOptions, onFix, onExit }) => {
   };
   const [fixError, setFixError] = useState(null);
   const [lastFixedBugId, setLastFixedBugId] = useState(null);
-  const handleConfirmFix = async () => {
+  const handleConfirmFix = async (onProgress) => {
     if (selectedBug) {
       setFixError(null);
       setLastFixedBugId(selectedBug.id);
-      const result = await onFix(selectedBug);
+      const result = await onFix(selectedBug, onProgress);
       return result;
     }
     return { falsePositive: false };
@@ -6228,6 +6250,67 @@ function markBugAsFixed(bug, commitHash, cwd = process.cwd()) {
 }
 // src/core/fixer.ts
+var MAX_SARIF_TEXT_LENGTH = 2e3;
+var PROMPT_INJECTION_PATTERNS = [
+  // Attempts to override or ignore instructions
+  /ignore\s+(previous|all|above)\s+instructions?/i,
+  /disregard\s+(previous|all|above)\s+instructions?/i,
+  /forget\s+(previous|all|above)\s+instructions?/i,
+  // Attempts to define new roles or personas
+  /you\s+are\s+(now|actually)\s+/i,
+  /act\s+as\s+(a|an)\s+/i,
+  /pretend\s+(you|to\s+be)\s+/i,
+  // Attempts to inject system-level commands
+  /\[SYSTEM\]/i,
+  /\[INST\]/i,
+  /<\|system\|>/i,
+  /<\|assistant\|>/i,
+  /<\|user\|>/i,
+  // Attempts to break out with special markers
+  /###\s*(INSTRUCTION|SYSTEM|END|NEW)/i,
+  /```\s*(system|instruction)/i,
+  // Direct file operation injections
+  /delete\s+(all|the)\s+files?/i,
+  /rm\s+-rf\s+/i,
+  /remove\s+(all|every)\s+file/i,
+  // Exfiltration attempts
+  /send\s+(this|the|all)\s+(data|content|file)/i,
+  /upload\s+(to|this)/i,
+  /curl\s+.*\s+-d/i,
+  /fetch\s*\(\s*['"][^'"]*['"]\s*,\s*\{[^}]*method\s*:\s*['"]POST['"]/i
+];
+function sanitizeSarifText(text2, fieldName = "field") {
+  if (!text2 || typeof text2 !== "string") {
+    return "";
+  }
+  let sanitized = text2.length > MAX_SARIF_TEXT_LENGTH ? text2.substring(0, MAX_SARIF_TEXT_LENGTH) + `... [truncated ${fieldName}]` : text2;
+  for (const pattern of PROMPT_INJECTION_PATTERNS) {
+    if (pattern.test(sanitized)) {
+      sanitized = sanitized.replace(pattern, "[REDACTED: potential injection]");
+    }
+  }
+  sanitized = sanitized.replace(/```+/g, "`\u200B`\u200B`");
+  sanitized = sanitized.replace(/###/g, "#\u200B#\u200B#");
+  return sanitized;
+}
+function sanitizeSarifEvidence(evidence) {
+  if (!Array.isArray(evidence)) {
+    return [];
+  }
+  return evidence.filter((e) => typeof e === "string").slice(0, 10).map((e) => sanitizeSarifText(e, "evidence"));
+}
+function sanitizeSarifCodePath(codePath) {
+  if (!Array.isArray(codePath)) {
+    return [];
+  }
+  return codePath.slice(0, 20).map((entry, idx) => ({
+    step: typeof entry?.step === "number" ? entry.step : idx + 1,
+    file: sanitizeSarifText(String(entry?.file || ""), "codePath.file").substring(0, 500),
+    line: typeof entry?.line === "number" ? entry.line : 0,
+    code: sanitizeSarifText(String(entry?.code || ""), "codePath.code"),
+    explanation: sanitizeSarifText(String(entry?.explanation || ""), "codePath.explanation")
+  }));
+}
 function isPathWithinProject(filePath, projectDir) {
   const resolvedPath = resolve(projectDir, filePath);
   const relativePath = relative(projectDir, resolvedPath);
@@ -6291,7 +6374,7 @@ In: ${bug.file}:${bug.line}`
   }
   let agenticResult;
   try {
-    agenticResult = await runAgenticFix(bug, config, projectDir);
+    agenticResult = await runAgenticFix(bug, config, projectDir, options.onProgress);
   } catch (error) {
     return {
       success: false,
@@ -6331,7 +6414,7 @@ In: ${bug.file}:${bug.line}`
     commitHash
   };
 }
-async function runAgenticFix(bug, config, projectDir) {
+async function runAgenticFix(bug, config, projectDir, onProgress) {
   const providerCommand = getProviderCommand(config.provider);
   const prompt = buildAgenticFixPrompt(bug);
   const controller = new AbortController();
@@ -6385,9 +6468,13 @@ async function runAgenticFix(bug, config, projectDir) {
         }
       }
     } else if (config.provider === "claude-code") {
-      const result = await execa(
+      const args = ["--dangerously-skip-permissions", "-p"];
+      if (onProgress) {
+        args.push("--verbose", "--output-format", "stream-json");
+      }
+      const subprocess = execa(
         providerCommand,
-        ["--dangerously-skip-permissions", "-p"],
+        args,
         {
           cwd: projectDir,
           input: prompt,
@@ -6398,6 +6485,43 @@ async function runAgenticFix(bug, config, projectDir) {
           cancelSignal: controller.signal
         }
       );
+      if (onProgress && subprocess.stdout) {
+        let lineBuffer = "";
+        subprocess.stdout.on("data", (chunk) => {
+          const text2 = chunk.toString();
+          lineBuffer += text2;
+          const lines = lineBuffer.split("\n");
+          lineBuffer = lines.pop() || "";
+          for (const line of lines) {
+            const trimmed = line.trim();
+            if (trimmed) {
+              try {
+                const event = JSON.parse(trimmed);
+                if (event.type === "assistant" && event.message?.content) {
+                  for (const block of event.message.content) {
+                    if (block.type === "tool_use") {
+                      const toolName = block.name || "tool";
+                      const friendlyNames = {
+                        "Read": "Reading file",
+                        "Edit": "Editing file",
+                        "Write": "Writing file",
+                        "Bash": "Running command",
+                        "Glob": "Searching files",
+                        "Grep": "Searching content",
+                        "Task": "Running task"
+                      };
+                      const displayName = friendlyNames[toolName] || `Using ${toolName}`;
+                      onProgress(`${displayName}...`);
+                    }
+                  }
+                }
+              } catch {
+              }
+            }
+          }
+        });
+      }
+      const result = await subprocess;
       stdout = result.stdout || "";
       stderr = result.stderr || "";
     } else if (config.provider === "gemini") {
@@ -6567,8 +6691,8 @@ function generateSimpleDiff(original, modified, filename) {
 }
 async function startFixTUI(bugs, config, options, cwd) {
   return new Promise((resolve6) => {
-    const handleFix = async (bug) => {
-      const result = await applyFix(bug, config, options);
+    const handleFix = async (bug, onProgress) => {
+      const result = await applyFix(bug, config, { ...options, onProgress });
       if (result.falsePositive) {
         if (cwd) {
           removeBugFromAccumulated(cwd, bug.id);
@@ -6727,39 +6851,67 @@ function loadBugsFromSarif(sarifPath) {
   } catch (error) {
     throw new Error(`Failed to parse SARIF file: ${sarifPath}. File may be corrupted or malformed.`);
   }
-  return sarif.runs?.[0]?.results?.map((r, i) => {
+  if (!sarif || typeof sarif !== "object") {
+    throw new Error(`Invalid SARIF file: ${sarifPath}. Expected a JSON object.`);
+  }
+  const runs = sarif.runs;
+  if (!Array.isArray(runs) || runs.length === 0) {
+    return [];
+  }
+  const results = runs[0]?.results;
+  if (!Array.isArray(results)) {
+    return [];
+  }
+  return results.map((r, i) => {
+    if (!r || typeof r !== "object") {
+      throw new Error(`Invalid SARIF result at index ${i}: expected an object.`);
+    }
     const props = r.properties || {};
+    const rawTitle = r.message?.text || "Unknown bug";
+    const rawDescription = r.message?.markdown || r.message?.text || "";
+    const rawCodePath = r.codeFlows?.[0]?.threadFlows?.[0]?.locations?.map((loc, idx) => ({
+      step: idx + 1,
+      file: loc.location?.physicalLocation?.artifactLocation?.uri || "",
+      line: loc.location?.physicalLocation?.region?.startLine || 0,
+      code: "",
+      explanation: loc.message?.text || ""
+    })) || [];
+    const rawFile = r.locations?.[0]?.physicalLocation?.artifactLocation?.uri;
+    const file = typeof rawFile === "string" ? rawFile : "unknown";
+    const rawLine = r.locations?.[0]?.physicalLocation?.region?.startLine;
+    const line = typeof rawLine === "number" && Number.isFinite(rawLine) ? Math.floor(rawLine) : 0;
+    const rawEndLine = r.locations?.[0]?.physicalLocation?.region?.endLine;
+    const endLine = typeof rawEndLine === "number" && Number.isFinite(rawEndLine) ? Math.floor(rawEndLine) : void 0;
+    const rawId = r.ruleId;
+    const id = typeof rawId === "string" ? rawId : `WR-${String(i + 1).padStart(3, "0")}`;
+    const validatedKind = FindingKind.safeParse(props.kind);
+    const validatedCategory = BugCategory.safeParse(props.category);
+    const validatedConfidence = ConfidenceLevel.safeParse(props.confidence);
     return {
-      id: r.ruleId || `WR-${String(i + 1).padStart(3, "0")}`,
-      title: r.message?.text || "Unknown bug",
-      description: r.message?.markdown || r.message?.text || "",
-      file: r.locations?.[0]?.physicalLocation?.artifactLocation?.uri || "unknown",
-      line: r.locations?.[0]?.physicalLocation?.region?.startLine || 0,
-      endLine: r.locations?.[0]?.physicalLocation?.region?.endLine,
-      kind: props.kind || "bug",
+      id,
+      title: sanitizeSarifText(String(rawTitle), "title"),
+      description: sanitizeSarifText(String(rawDescription), "description"),
+      file,
+      line,
+      endLine,
+      kind: validatedKind.success ? validatedKind.data : "bug",
       severity: mapSarifLevel(r.level),
-      category: props.category || "logic-error",
+      category: validatedCategory.success ? validatedCategory.data : "logic-error",
       confidence: {
-        overall: props.confidence || "medium",
-        codePathValidity: props.codePathValidity || 0.8,
-        reachability: props.reachability || 0.8,
-        intentViolation: props.intentViolation || false,
-        staticToolSignal: props.staticToolSignal || false,
-        adversarialSurvived: props.adversarialSurvived || false
+        overall: validatedConfidence.success ? validatedConfidence.data : "medium",
+        codePathValidity: typeof props.codePathValidity === "number" ? props.codePathValidity : 0.8,
+        reachability: typeof props.reachability === "number" ? props.reachability : 0.8,
+        intentViolation: typeof props.intentViolation === "boolean" ? props.intentViolation : false,
+        staticToolSignal: typeof props.staticToolSignal === "boolean" ? props.staticToolSignal : false,
+        adversarialSurvived: typeof props.adversarialSurvived === "boolean" ? props.adversarialSurvived : false
       },
-      codePath: r.codeFlows?.[0]?.threadFlows?.[0]?.locations?.map((loc, idx) => ({
-        step: idx + 1,
-        file: loc.location?.physicalLocation?.artifactLocation?.uri || "",
-        line: loc.location?.physicalLocation?.region?.startLine || 0,
-        code: "",
-        explanation: loc.message?.text || ""
-      })) || [],
-      evidence: props.evidence || [],
-      suggestedFix: props.suggestedFix,
+      codePath: sanitizeSarifCodePath(rawCodePath),
+      evidence: sanitizeSarifEvidence(props.evidence),
+      suggestedFix: props.suggestedFix ? sanitizeSarifText(String(props.suggestedFix), "suggestedFix") : void 0,
       createdAt: (/* @__PURE__ */ new Date()).toISOString(),
       status: "open"
     };
-  }) || [];
+  });
 }
 async function loadBugFromGitHub(issueUrl, cwd) {
   try {
@@ -6802,10 +6954,12 @@ async function loadBugFromGitHub(issueUrl, cwd) {
     } else if (labels.some((l) => l.includes("leak") || l.includes("memory"))) {
       category = "resource-leak";
     }
+    const sanitizedTitle = sanitizeSarifText(String(issue.title || ""), "github.title");
+    const sanitizedBody = sanitizeSarifText(String(issue.body || ""), "github.body");
     return {
       id: `GH-${issueNumber}`,
-      title: issue.title,
-      description: issue.body || issue.title,
+      title: sanitizedTitle,
+      description: sanitizedBody || sanitizedTitle,
       file: fileMatch?.[1] || "",
       line: parseInt(lineMatch?.[1] || "1", 10),
       kind: "bug",
@@ -6999,12 +7153,24 @@ async function fixSingleBug(bug, config, options, cwd) {
       process.exit(0);
     }
   }
-  const spinner6 = p3.spinner();
-  spinner6.start(options.dryRun ? "Generating fix preview..." : "Applying fix...");
+  console.log();
+  console.log(chalk3.cyan("  \u25C6 Starting agentic fix..."));
+  console.log();
   try {
-    const result = await applyFix(bug, config, options);
+    let lastMessage = "";
+    const result = await applyFix(bug, config, {
+      ...options,
+      onProgress: (message) => {
+        if (message !== lastMessage) {
+          lastMessage = message;
+          const truncated = message.length > 72 ? message.substring(0, 72) + "..." : message;
+          process.stdout.write(`\r\x1B[K  ${chalk3.dim("\u203A")} ${chalk3.gray(truncated)}`);
+        }
+      }
+    });
+    process.stdout.write("\r\x1B[K");
     if (result.success) {
-      spinner6.stop(options.dryRun ? "Fix preview generated" : "Fix applied");
+      console.log(chalk3.green("  \u2713 Fix applied successfully"));
       if (result.diff) {
         console.log();
         console.log(chalk3.dim("  Changes:"));
@@ -7030,12 +7196,12 @@ async function fixSingleBug(bug, config, options, cwd) {
       }
       p3.outro(chalk3.green("Fix complete!"));
     } else {
-      spinner6.stop("Fix failed");
+      console.log(chalk3.red("  \u2717 Fix failed"));
       p3.log.error(result.error || "Unknown error");
       process.exit(1);
     }
   } catch (error) {
-    spinner6.stop("Fix failed");
+    console.log(chalk3.red("  \u2717 Fix failed"));
     p3.log.error(error.message);
     process.exit(1);
   }